I'm trying to upgrade JHipster to use Spring Boot 2.4. The app I'm testing has a Spring Security Configuration that enables OAuth Login and sets up a resource server with Spring Security:
    .and()
    .oauth2Login()
    .and()
    .oauth2ResourceServer()
        .jwt()
            .jwtAuthenticationConverter(authenticationConverter())
            .and()
        .and()
    .oauth2Client();
After upgrading to Spring Boot 2.4, my GrantedAuthoritiesMapper bean is no longer invoked, so my authorities are no longer translated. Any idea why?
    /**
     * Map authorities from "groups" or "roles" claim in ID Token.
     *
     * @return a {@link GrantedAuthoritiesMapper} that maps groups from
     * the IdP to Spring Security Authorities.
     */
    @Bean
    public GrantedAuthoritiesMapper userAuthoritiesMapper() {
        return authorities -> {
            Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
            authorities.forEach(authority -> {
                // Check for OidcUserAuthority because Spring Security 5.2 returns
                // each scope as a GrantedAuthority, which we don't care about.
                if (authority instanceof OidcUserAuthority) {
                    OidcUserAuthority oidcUserAuthority = (OidcUserAuthority) authority;
                    mappedAuthorities.addAll(
                        SecurityUtils.extractAuthorityFromClaims(oidcUserAuthority.getUserInfo().getClaims())
                    );
                }
            });
            return mappedAuthorities;
        };
    }
I figured it out. Spring Security 5.4.0 removed the default scopes, so I had to add the following property:
scope: openid,profile,email
See this commit for more info.
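For context, here is where that property lives in a Spring Boot application.yml. This is an added illustration, not configuration from the question or from JHipster; the registration and provider id `oidc`, the issuer URL and the client credentials are placeholders. The point to check is the `openid` entry: the mapper above only matches `OidcUserAuthority`, which Spring Security creates for an OpenID Connect login, so if `openid` is not requested the login is a plain OAuth2 login and that `instanceof` branch never runs.

```yaml
# application.yml (added example; ids, issuer and credentials are placeholders)
spring:
  security:
    oauth2:
      client:
        provider:
          oidc:
            # Placeholder issuer; Spring Boot fetches the provider metadata from here
            issuer-uri: https://idp.example.com/
        registration:
          oidc:
            client-id: placeholder-client-id
            client-secret: placeholder-client-secret
            # Since Spring Security 5.4 no scopes are requested by default.
            # "openid" is what turns the login into an OIDC login and
            # makes the ID token (and OidcUserAuthority) available to the mapper.
            scope: openid,profile,email
```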